Let's Encrypt Free HTTPS Secures Cross-Signatures To Be A CA


The continued march toward encrypting every online connection hit a noteworthy milestone last night when Let’s Encrypt announced that it was officially a Certificate Authority.

Let’s Encrypt is an open source movement to make HTTPS implementations simple and free of cost for domain owners. A month ago, Let’s Encrypt issued its first automated certificate and it promised then to have the beta certs it’s issued so far become valid and trusted in all major browsers.

Let’s Encrypt’s partner on this, IdenTrust, provided the cross-signatures necessary for this to happen, so anyone visiting a site secured with a Let’s Encrypt certificate no longer needs any special configuration to reach it. Let’s Encrypt’s intermediate certificate now chains to an IdenTrust root that browsers already trust, signifying that it too can be trusted as a CA going forward.

“The certificates issued in the beta will be ‘real’ and will be accepted by browsers. Our service should be available to the public the week of Nov. 21, and will be free of charge, including for commercial uses,” said Electronic Frontier Foundation (EFF) staff technologist Seth David Schoen. “It was a lot of work to get to this point. The PKI system famously has a lot of bureaucracy and we had to draft a lot of policy documents.”

A coalition of technology companies, including Mozilla, Cisco, Akamai, Automattic and IdenTrust, joined the EFF and the University of Michigan late last year in getting Let’s Encrypt off the ground; the initiative is overseen by a California non-profit called Internet Security Research Group (ISRG).

Since the Snowden revelations began in earnest more than two years ago, technology providers have accelerated efforts to make HTTPS the default online.

“I think Let’s Encrypt will be transformative for web security, because anyone will be able to enable HTTPS on their web site for free in about a minute,” Schoen said. “I think we’ll provide the opportunity for a lot of infrastructure providers to change the default and start offering HTTPS by default for all their users. It will still take some more infrastructure work to interoperate smoothly with every platform and environment, but having the back-end CA in place is the most difficult step, and now it exists.”

The Let’s Encrypt movement has had a steady cadence in its approach to this milestone, starting with the technology companies standing it up, to its partnership with IdenTrust, to the arduous construction of a secure infrastructure to house the CA’s signing keys and the hardware security modules that protect them. Let’s Encrypt also had to build a trustworthy authentication mechanism, EFF chief computer scientist Peter Eckersley told Threatpost last month. The CA software is called Boulder; it implements a new protocol called ACME, short for Automated Certificate Management Environment, through which clients request certificates and prove control of their domains before anything is issued.

“This allows people to make automated requests for certs, and allows CAs to respond with a list of challenges before a cert is issued,” Eckersley said.
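The challenge step Eckersley describes, as an added example that is not Boulder’s or Let’s Encrypt’s code: the http-01 challenge in the form ACME later standardized in RFC 8555, run from a POSIX shell with openssl doing the hashing. The CA hands the client a random token; the client publishes a key authorization, the token joined by "." to the RFC 7638 thumbprint of its account key, at /.well-known/acme-challenge/<token>; the CA fetches that path over plain HTTP and checks that it matches what the account key that requested the challenge must produce. The account-key values, token and web root below are constructed for the demonstration, and the CA’s fetch is modelled by reading the file from that web root instead of making an HTTP request.

```shell
#!/bin/sh
# Added example, not from the article or from Boulder: the ACME http-01
# key-authorization exchange (RFC 8555 section 8.1), client side and CA side.
set -e

# base64url without padding, the encoding ACME and JOSE use everywhere.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# JWK thumbprint (RFC 7638): SHA-256 over the canonical JSON of the public key's
# required members, in lexicographic order, with no whitespace. For an RSA key
# those members are e, kty and n.  Arguments: e n (both already base64url).
jwk_thumbprint() {
  printf '{"e":"%s","kty":"RSA","n":"%s"}' "$1" "$2" \
    | openssl dgst -sha256 -binary | b64url
}

# Client side: the value to publish at /.well-known/acme-challenge/<token>.
# Arguments: token e n
key_authorization() {
  printf '%s.%s' "$1" "$(jwk_thumbprint "$2" "$3")"
}

# CA side: read what the server published (a file under a constructed web root
# stands in for the HTTP fetch) and compare it with the value the requesting
# account key must have produced.  Arguments: webroot token e n
ca_validate() {
  served=$(cat "$1/.well-known/acme-challenge/$2" 2>/dev/null) || return 1
  expected=$(key_authorization "$2" "$3" "$4")
  [ "$served" = "$expected" ]
}

# Worked exchange with constructed values.
WEBROOT=$(mktemp -d)
ACCOUNT_E=AQAB                                   # constructed exponent (65537)
ACCOUNT_N=$(head -c 256 /dev/urandom | b64url)   # constructed modulus, stands in for a real RSA key
TOKEN=$(head -c 32 /dev/urandom | b64url)        # CA side: fresh 256-bit challenge token

# Client side: publish the key authorization where the CA will look for it.
mkdir -p "$WEBROOT/.well-known/acme-challenge"
key_authorization "$TOKEN" "$ACCOUNT_E" "$ACCOUNT_N" \
  > "$WEBROOT/.well-known/acme-challenge/$TOKEN"

# CA side: validate for the account that asked, then as if another account had asked.
if ca_validate "$WEBROOT" "$TOKEN" "$ACCOUNT_E" "$ACCOUNT_N"; then
  echo "challenge $TOKEN: valid"
fi
OTHER_N=$(head -c 256 /dev/urandom | b64url)
if ca_validate "$WEBROOT" "$TOKEN" "$ACCOUNT_E" "$OTHER_N"; then
  echo "unexpected: accepted for a different account key"
else
  echo "different account key: rejected"
fi
```

Tying the published value to the account key is what makes the challenge meaningful: a value served to satisfy one account’s challenge cannot be reused to satisfy a challenge issued to a different account, and a token the CA never issued fails the same way.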

Eventually, webmasters will merely have to run a client that proves to the CA that they control their server’s domain name and then installs the certificate. They’ll also be able to enable features on their site like HTTP Strict Transport Security (HSTS), OCSP stapling and making sure that visitors to the old HTTP version of their site are redirected to the new HTTPS version.

Let’s Encrypt is hosting a demo site, helloworld.letsencrypt.org, where one of its newly accepted certs is working in the real world. Users can also view the chain, which includes three certs, Schoen said.

“The root is ‘DST Root CA X3’, which is the name of one of the root CA certificates owned by IdenTrust. The newly issued thing in the middle is ‘Let’s Encrypt Authority X1’, which is the name of our intermediate CA, and if you click on it you see a digital certificate from DST Root CA X3 that says that Let’s Encrypt Authority X1 is a real CA,” Schoen said. “At the bottom is the end-entity certificate issued by Let’s Encrypt Authority X1 which describes the cryptographic key used by the site ‘helloworld.letsencrypt.org’. Because the middle link in the chain was created yesterday, the browser will accept what Let’s Encrypt Authority X1 said about this site.”
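The three-link chain Schoen walks through, as an added example that is not from the article or from Let’s Encrypt: a POSIX shell script that uses openssl to build a stand-in root (the trust anchor, in the role of DST Root CA X3), an intermediate CA certificate signed by that root (the cross-signing step that made Let’s Encrypt Authority X1 trusted), and an end-entity certificate for a demo host issued by the intermediate, then verifies the chain the way a browser does, trusting only the root. All names, the host and the keys are placeholders generated on the fly.

```shell
#!/bin/sh
# Added example, not the article's or Let's Encrypt's: root -> intermediate ->
# end-entity, built and verified with openssl. Subjects and keys are placeholders.
set -e

build_chain() {   # $1: working directory
  d=$1
  # Root CA, self-signed: stands in for "DST Root CA X3", the anchor in the browser store.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Example Trust/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA, standing in for "Let's Encrypt Authority X1": its own key and CSR ...
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example CA/CN=Example Authority X1" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  # ... signed by the root, which asserts in basicConstraints that this is a CA
  # (pathlen:0 means it may issue end-entity certificates but no further CAs).
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$d/inter.ext"
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$d/inter.ext" -out "$d/inter.pem" 2>/dev/null
  # End-entity certificate for the demo host, issued by the intermediate, never by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=helloworld.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:helloworld.example.test\nextendedKeyUsage=serverAuth\n' \
    > "$d/leaf.ext"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 90 -sha256 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# Verify as a browser would: only the root is trusted; the intermediate arrives
# from the server ("untrusted") and must itself be signed by the trusted root.
verify_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# The common misconfiguration: the server sends only its leaf. The root never
# signed the leaf directly, so no path to the trust anchor exists.
verify_without_intermediate() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# What a certificate viewer shows for each link: who it names and who signed it.
show_chain() {
  for c in root inter leaf; do
    openssl x509 -in "$1/$c.pem" -noout -subject -issuer
  done
}

DIR=$(mktemp -d)
build_chain "$DIR"
show_chain "$DIR"
if verify_chain "$DIR"; then
  echo "leaf + intermediate, root trusted: OK"
fi
if verify_without_intermediate "$DIR"; then
  echo "leaf alone: OK"
else
  echo "leaf alone: rejected (no path from the leaf to the trusted root)"
fi
```

The -CAfile and -untrusted split mirrors the browser: the root lives in the trust store, the intermediate is supplied in the TLS handshake. Running verify_without_intermediate reproduces the failure operators most often hit when they deploy a fresh certificate, openssl’s "unable to get local issuer certificate", which is the server forgetting to send the intermediate rather than anything wrong with the certificate itself.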

Source: Threatpost (Cryptography), by Michael Mimoso, published October 20, 2015: https://threatpost.com/lets-encrypt-hits-another-free-https-milestone/115114/

Links from the article:
Let’s Encrypt’s announcement that it is trusted (October 19, 2015): https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html
Threatpost on the first Let’s Encrypt certificate going live: https://threatpost.com/first-lets-encrypt-free-certificate-goes-live/114675/
Let’s Encrypt policy documents: https://letsencrypt.org/repository/
Let’s Encrypt demo site: https://helloworld.letsencrypt.org/